This application is based on Japanese Patent Application No. 10-337108, filed November 27, 1998, the contents of which are incorporated herein by reference.
The present invention relates to an encryption/decryption unit and storage medium and, more particularly, to an encryption/decryption unit suited to encryption or decryption of data by a secret key block cryptology, and a storage medium.
With the recent advances in computer/communication technology, various types of data are communicated as digital data and stored. The necessity to encrypt these data to protect security and privacy has been increased. Conventionally, data have been encrypted by mainly using the DES (Jpn. Pat. Appln. KOKAI Publication No. 51-108701).
The DES (to be also referred to as the DES hereinafter), however, was an encryption algorithm designed in the 1970s, and cannot be claimed to be safe with respect to current technical advances. As cryptanalytic attacks on the DES, a cryptanalytic exhaustive key search attack, differential attack (E. Biham and A. Shamir, “Differential Cryptanalysis of DES-Like Cryptosystems,” Journal of CRYPTOLOGY, Vol. 4, Number 1, 1991) which is more efficient than the exhaustive key search attack, linear attack (Mitsuru Matsui, “Linear Cryptanalysis of DES Ciphertext (I)”, Encryption and Information Security Symposium, 1993, and the like are known.
Under the circumstances, the triple-DES is known as an attempt to enhance security against cryptanalytic attacks without greatly changing the popularized DES.
The triple-DES is a scheme of applying the DES three times to perform encryption. According to the procedure for this scheme, two keys are used for encryption by encrypting data with key 1, decrypting the data with key 2, and encrypting the data with key 1. In the triple-DES, since two keys in the DES are used, although each key has 56 bits, the substantial key length can be regarded as 112 bits.
In the triple-DES, however, since the DES is performed three times, the processing becomes longer than that in the DES.
The DES-SS scheme (Jpn. Pat. Appln. KOKAI Publication No. 10-116029) is known as another attempt to enhance the DES.
In the DES-SS scheme (to be also referred to as the DES-SS hereinafter), the safety of the DES is increased by using G functions in addition to F functions as nonlinear functions used inside the DES. In addition, DES-SS processing differs from DES processing only in the addition of G functions, and hence is more efficient than the triple-DES.
In addition, in the DES-SS, one key itself has 112 bits, unlike in the triple-DES using a plurality of 56-bit keys. The DES-SS is safer from the exhaustive key search attack than the triple-DES.
A 56-bit key in the DES is represented by 64 bits including eight parity bits. In the DES-SS, if the upper 64 bits of a key are equal in value to the lower 64 bits of the key, the DES-SS operates as an encryption function having the same function as that of the DES. This is a characteristic feature unique to the DS-SS. In an encryption/decryption unit having the DES-SS, therefore, the DES compatible mode can be set.
The principle of this DES compatible mode is based on the fact that when the upper and lower bit data of a key are equal, an input and output of the G function coincide with each other, i.e., identity conversion is performed. By using the DES compatible mode of the DES-SS, one encryption/decryption unit can perform two types of encryption. This makes it possible to reduce the unit size.
As described above, the DES, triple-DES, and DES-SS have their own merits and demerits. In consideration of the increasing demand for data encryption, increasing necessity of enhancement, proliferation of the DES, and the like, it is important to provide a technique of implementing enhanced cryptology while maintaining compatibility with the DES and its applied cryptographic techniques.
In implementing this technique, consideration must also be given to the efficiency of cryptography.
If, for example, the DES-SS is used, encryption safer than the DES and more efficient than the triple-DES can be performed. Consider the implementation of encryption compatible with the triple-DES by using the DES-SS. Although encryption compatible with the triple-DES can be implemented by stacking three DES-SS processes, the efficiency of this operation becomes lower than the triple-DES.
Each of the DES, triple-DES, and DES-SS uses a scheme called product encryption, in which a process having the same structure is repeatedly performed by using round functions. This type of encryption is susceptible to the above differential and linear attacks.